[jboss-jira] [JBoss JIRA] (WFLY-8760) get method of ModuleClassLoaderLocator requires createClassLoader permission
Ondrej Lukas (JIRA)
issues at jboss.org
Fri May 12 08:20:00 EDT 2017
[ https://issues.jboss.org/browse/WFLY-8760?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ondrej Lukas updated WFLY-8760:
-------------------------------
Description:
There is missing doPriviliged block in ModuleClassLoaderLocator. Fix of WFLY-7412 for ModuleClassLoaderLocator introduces new CombinedClassLoader innner class which extends SecureClassLoader. Initialization of this class needs to createClassLoader RuntimePermission.
That means:
* All deployment which uses API which internally uses ModuleClassLoaderLocator needs createClassLoader RuntimePermission (which is new in EAP 7.1, the same deployments in EAP 7.0 does not need this permission)
** i.e. getMappingContext(String mappingType) in org.jboss.security.plugins.mapping.JBossMappingManager works internally with ModuleClassLoaderLocator.
* setting createClassLoader RuntimePermission for deployment can be dangerous and it should probably use own permission
was:
There is missing doPriviliged block in ModuleClassLoaderLocator. Fix of JBEAP-6559 for ModuleClassLoaderLocator introduces new CombinedClassLoader innner class which extends SecureClassLoader. Initialization of this class needs to createClassLoader RuntimePermission.
That means:
* All deployment which uses API which internally uses ModuleClassLoaderLocator needs createClassLoader RuntimePermission (which is new in EAP 7.1, the same deployments in EAP 7.0 does not need this permission)
** i.e. getMappingContext(String mappingType) in org.jboss.security.plugins.mapping.JBossMappingManager works internally with ModuleClassLoaderLocator.
* setting createClassLoader RuntimePermission for deployment can be dangerous and it should probably use own permission
> get method of ModuleClassLoaderLocator requires createClassLoader permission
> ----------------------------------------------------------------------------
>
> Key: WFLY-8760
> URL: https://issues.jboss.org/browse/WFLY-8760
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Critical
>
> There is missing doPriviliged block in ModuleClassLoaderLocator. Fix of WFLY-7412 for ModuleClassLoaderLocator introduces new CombinedClassLoader innner class which extends SecureClassLoader. Initialization of this class needs to createClassLoader RuntimePermission.
> That means:
> * All deployment which uses API which internally uses ModuleClassLoaderLocator needs createClassLoader RuntimePermission (which is new in EAP 7.1, the same deployments in EAP 7.0 does not need this permission)
> ** i.e. getMappingContext(String mappingType) in org.jboss.security.plugins.mapping.JBossMappingManager works internally with ModuleClassLoaderLocator.
> * setting createClassLoader RuntimePermission for deployment can be dangerous and it should probably use own permission
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list